Sign out Link with Reverse Proxy & SSO

[luckylinux]

Is there an existing issue for this?

• I have searched the existing open and closed issues

Is your feature request related to a problem? Please describe

The Sign-Out Link could be improved.

On one Hand, if Authentication is disabled, then the Sign Out Link should not be shown at all (right now it is shown anyways).

On the other Hand, since I just implemented Reverse Proxy SSO with Authentik Proxy Outpost, having the Sign Out Link pointing to the correct Target would be way better 😉.

As it is right now, nothing Happens (obviously) when I click it, since I am NOT authenticated via NetAlertX itself.

I'll do a PR for the Documentation on how to setup Caddy Reverse Proxy + Authentik Outpost Proxy SSO soon 😉.

Describe the solution you'd like

I don't want to mess too much of your Code and in particular the Application Settings for app.conf I would prefer that implement the Change @jokob-sk, because I think there are also quite a few Tests & some JSON Files to adjust correctly.

This is the Relevant Part in front/php/templates/header.php at https://github.com/jokob-sk/NetAlertX/blob/main/front/php/templates/header.php#L255:

<li class="user-footer">
    <div class="pull-right">
        <a href="index.php?action=logout" class="btn btn-danger"><?= lang('About_Exit');?></a>
    </div>
</li>

I would suggest to use a Variable called SETPWD_SIGNOUT_LINK_TARGET (or something along those Lines, please feel free to come up with a better Name 😉) with the following Logic (pseudo-Code):

if SETPWD_enable_password is True:
    # Password Authentication is enabled
    # Keep the Sign-Out Link as it is
    signout_link = "index.php?action=logout"

else:
    # Password Authentication is disabled
    # Either we don't have any Authentication at all or we use SSO
    # Alternatively if no signout Target is Set we could consider just aborting everything since it's completely unsafe ? Could be a startup self-test.

    if SETPWD_SIGNOUT_LINK_TARGET == "":
        # Authentication is disabled for Real
        # Don't even show the Button
        signout_link = ""
    else:
        # Authentication is disabled but we configured SSO so we use that Sign-Out Link instead
        signout_link = SETPWD_SIGNOUT_LINK_TARGET

I would set (for Authentik SSO with Authentik Outpost Proxy):

SETPWD_SIGNOUT_LINK_TARGET = "https://netalertx.MYDOMAIN.TLD/outpost.goauthentik.io/sign_out"

Then in the Template (pseudo-Code) basically decide whether to show the Sign-Out Button or not:

{% if signout_link != "" %}
              <li class="user-footer">
                <div class="pull-right">
                  <a href="{{signout_link}}" class="btn btn-danger"><?= lang('About_Exit');?></a>
                </div>
              </li>
{% endif %}

Describe alternatives you've considered

If could also be possible to implement a Select-Box with something along the Lines of a SIGNIN_TYPE with Possible Values:

• (None)
• Built-In
• Authentik SSO

And then do the Logic on the Server-Side. Basically just give an Option to select the Type of Login / Authentication, but implement the URLs in the Code.

This would however be less flexible and require updates & newer Entries if new SSO Providers are added.

Anything else?

I can help with the Documentation to setup Reverse Proxy + SSO (Authentik Proxy Outpost is by far the easiest in my Experience).

Basically I just need to take my compose.yml Files (I'll provide also Podman Quadlets as an alternative), .env* Files, Caddyfile and redact some of the Information, plus obviously provide some Screenshots.

Am I willing to test this? 🧪

• I will do my best to test this feature on the netlertx-dev image when requested within 48h and report bugs to help deliver a great user experience for everyone and not to break existing installations.

Can I help implement this? 👩‍💻👨‍💻

• Yes
• No

[luckylinux]

@jokob-sk: I started adding Caddy + Podman + Authentik SSO Information in the REVERSE_PROXY Documentation Page.

https://github.com/luckylinux/NetAlertX/blob/add-caddy-and-authentik-sso-documentation/docs/REVERSE_PROXY.md

There are some Formatting Issues unfortunately though 😕.

EDIT 1: moved the Documentation of the Mentioned Caddy + Podman + Authentik SSO to a separate Issue -> #1403

[adamoutler]

Seems pretty straight forward. On line https://github.com/netalertx/NetAlertX/blob/main/front/php/templates/header.php#L256

              <!-- Menu Body -->

              <?php
                $logout_url = "";
                // Check if internal password auth is enabled
                if (getenv('SETPWD_enable_password') === "true") {
                    $logout_url = "index.php?action=logout";
                }
                // If internal auth is disabled but an SSO target is set, use that
                elseif (getenv('SETPWD_SIGNOUT_LINK_TARGET')) {
                    $logout_url = getenv('SETPWD_SIGNOUT_LINK_TARGET');
                }
              ?>

              <?php if ($logout_url != ""): ?>
              <li class="user-footer">
                <div class="pull-right">
                  <a href="<?php echo $logout_url; ?>" class="btn btn-danger"><?= lang('About_Exit');?></a>
                </div>
              </li>
              <?php endif; ?>

However I'd never push this out without testing. Can someone here make a test in the devcontainer then point their authentik at it?

You can test this in a Codespaces

or you can clone the code in VSCode and it should prompt to open the devcontainer automatically.

[luckylinux]

I never used Devcontainers / Codespaces so no clue about how that would work, particularly with something like Authentik which is effectively an "external" Resource (within my LAN).

I previously just built a Podman Container based on the latest main Branch (or specific Commit). I might have bind-mounted something "live" inside the running Container (Quadlet/Compose) in case I wanted to test a "quick Fix".

@adamoutler: is there a Guideline on the use of lower and upper cases in Variable Names by the Way ? It's a bit confusing to have SETPWD_enable_password and SETPWD_SIGNOUT_LINK_TARGET.

When working with Docker Containers I'm used to have all Variables all-Caps (which is why my Suggestion was like that). I actually don't recall other cases of lowercase or mix of lower/upper Case Variables with any Containers I used so far (besides NetAlertX, that is).

[luckylinux]

@adamoutler: It's been a while since I used PHP so maybe it's just a Stupid Question ... are you sure your if is correct ? I never recall having used === back then, just == (2 equal Signs instead of 3 basically).

I just gave it a quick test with a newly build "real" Docker Container and it does NOT work. Nothing is getting displayed 😕.

I tried to add this to .env.server

# Sign-out for Authentik
SETPWD_SIGNOUT_LINK_TARGET=https://netalertx.MYDOMAIN.TLD/outpost.goauthentik.io/sign_out

Since that failed, I also tried a "Quick-Fix" by modifying app.conf (unsure if this works though since I didn't also update that long JSON File I believe, basically the Description for the WebUI Settings Editor):

SETPWD_SIGNOUT_LINK_TARGET='https://netalertx.MYDOMAIN.TLD/outpost.goauthentik.io/sign_out'
SETPWD_SIGNOUT_LINK_TARGET__metadata="{}"

Obviously I cleared Cache before refreshing the Page once again.

By the Way, with the latest main Branch and this Modification here, also the Popup about requiring to click OK, force refresh Browser Cache & clear Application Cache is NOT showing up anymore, but it just located in the Notification Area. Is this Normal ?

EDIT 1: Popup seems to be working now on Port 8443

[luckylinux]

@adamoutler: Uhm maybe I was too optimistic and thought your PR with the /server/ Path was merged already.

I'll go back to the separate 8443 Port for a Second here.

[luckylinux]

@adamoutler: No, I tried again with Port 8443 (there are some NS_BINDING_ABORTED for /sse/state?client=client-rgol9o1zm early on, but later on the same Endpoint returns HTTP Status Code 200 so I don't think that's the Issue).

Regardless, there is NO Signout Link displayed at all 😕.

EDIT 1: @adamoutler, did we forget something very simple, like we need maybe to "expose" these Variables from within the Container to the NGINX / PHP Process or something ?

printenv inside my netalertx-server show that the Variable SETPWD_SIGNOUT_LINK_TARGET is correctly set.

I tried to also encapsulate the Link in double Quotes, but that didn't change anything, it's the same:

# Sign-out for Authentik
SETPWD_SIGNOUT_LINK_TARGET=https://netalertx.MYDOMAIN.TLD/outpost.goauthentik.io/sign_out

or

# Sign-out for Authentik
SETPWD_SIGNOUT_LINK_TARGET="https://netalertx.MYDOMAIN.TLD/outpost.goauthentik.io/sign_out"

[adamoutler]

I never used Devcontainers / Codespaces so no clue about how that would work, particularly with something like Authentik which is effectively an "external" Resource (within my LAN).

Devcontainer is wonderful! It builds a container from source code, pulls all the resources required, exposes ports, and puts the IDE inside it so you can make realtime changes. I set up the devcontainer so you can even use VSCode debugger and halt on any line. All you do is open the folder in VSCode and it does the rest. I rarely develop without a devcontainer now.

@adamoutler: is there a Guideline on the use of lower and upper cases in Variable Names by the Way ? It's a bit confusing to have SETPWD_enable_password and SETPWD_SIGNOUT_LINK_TARGET.

@jokob-sk handles more of the internal stuff. I mainly deal with external integration and containerization.

[luckylinux]

Interesting. Maybe then it would be OK with Devcontainer, but for cloud-based Codespaces, I would also need a cloud Instance of Authentik to play along, wouldn't I ?

Faster to do locally (maybe with Devcontainer indeed) IMHO.

[luckylinux]

However, the main Issue is that the Link doesn't show up at all, so there is some Problem with the Environment Variables not being accessible / exposed to PHP-FPM I believe.

I even tried a more permissive setting with variables_order = "EGPCS" but that also failed.

[adamoutler]

Interesting. Maybe then it would be OK with Devcontainer, but for cloud-based Codespaces, I would also need a cloud Instance of Authentik to play along, wouldn't I ?

Faster to do locally (maybe with Devcontainer indeed) IMHO.

Codespaces strength is one-button-press to validate someone's PR or not needing to create another copy on your computer. I usually start on VSCode then address Coderabbit issues in a codespaces.

[luckylinux]

If it works with VSCodium it could be a possibility. No chance of using VSCode on my Personal Computer running Linux 😃.

[adamoutler]

You could highlight the logout button and then ask the AI on the right side of the screen to revise it. Tell it what you're trying to accomplish. Eg. in the event I'm using authellia or authentik I need the logout button to set something. It should be able to handle this. This is what I'd do but I don't have an authentik.

[adamoutler]

If it works with VSCodium it could be a possibility. No chance of using VSCode on my Personal Computer running Linux 😃.

I use Ubuntu on my PC. VSCode works great there.

[luckylinux]

If it works with VSCodium it could be a possibility. No chance of using VSCode on my Personal Computer running Linux 😃.

I use Ubuntu on my PC. VSCode works great there.

That's not the Point 😅. It's more about Privacy and Data Collection. And VSCode Forks have their own Marketplace, and not all Extensions are available.